Contracts

Information Commissioner’s Office, “Guide to the GDPR”, retrieved on 9th May 2018, licensed under the Open Government Licence.

At a glance

Whenever a controller uses a processor it needs to have a written contract in place.

The contract is important so that both parties understand their responsibilities and liabilities.

The GDPR sets out what needs to be included in the contract.

In the future, standard contract clauses may be provided by the European Commission or the ICO, and may form part of certification schemes. However at the moment no standard clauses have been drafted.

Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected. In the future, using a processor which adheres to an approved code of conduct or certification scheme may help controllers to satisfy this requirement – though again, no such schemes are currently available.

Processors must only act on the documented instructions of a controller. They will however have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply.

Checklists

Controller and processor contracts checklist

Our contracts include the following compulsory details:

the subject matter and duration of the processing;

the nature and purpose of the processing;

the type of personal data and categories of data subject; and

the obligations and rights of the controller.

Our contracts include the following compulsory terms:

the processor must only act on the written instructions of the controller (unless required by law to act without such instructions);

the processor must ensure that people processing the data are subject to a duty of confidence;

the processor must take appropriate measures to ensure the security of processing;

the processor must only engage a sub-processor with the prior consent of the data controller and a written contract;

the processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;

the processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;

the processor must delete or return all personal data to the controller as requested at the end of the contract; and

the processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.

As a matter of good practice, our contracts:

state that nothing within the contract relieves the processor of its own direct responsibilities and liabilities under the GDPR; and

reflect any indemnity that has been agreed.

Processors’ responsibilities and liabilities checklist

In addition to the Article 28.3 contractual obligations set out in the controller and processor contracts checklist, a processor has the following direct responsibilities under the GDPR. The processor must:

only act on the written instructions of the controller (Article 29);

not use a sub-processor without the prior written authorisation of the controller (Article 28.2);

co-operate with supervisory authorities (such as the ICO) in accordance with Article 31;

ensure the security of its processing in accordance with Article 32;

keep records of its processing activities in accordance with Article 30.2;

notify any personal data breaches to the controller in accordance with Article 33;

employ a data protection officer if required in accordance with Article 37; and

appoint (in writing) a representative within the European Union if required in accordance with Article 27.

A processor should also be aware that:

it may be subject to investigative and corrective powers of supervisory authorities (such as the ICO) under Article 58 of the GDPR;

if it fails to meet its obligations, it may be subject to an administrative fine under Article 83 of the GDPR;

if it fails to meet its GDPR obligations it may be subject to a penalty under Article 84 of the GDPR; and

if it fails to meet its GDPR obligations it may have to pay compensation under Article 82 of the GDPR.

In brief

The GDPR makes written contracts between controllers and processors a general requirement, rather than just a way of demonstrating compliance with the seventh data protection principle (appropriate security measures) under the DPA.

These contracts must now include certain specific terms, as a minimum.

These terms are designed to ensure that processing carried out by a processor meets all the requirements of the GDPR (not just those related to keeping personal data secure).

The GDPR allows for standard contractual clauses from the EU Commission or a supervisory authority (such as the ICO) to be used in contracts between controllers and processors – though none have been drafted so far.

The GDPR envisages that adherence by a processor to an approved code of conduct or certification scheme may be used to help controllers demonstrate that they have chosen a suitable processor. Standard contractual clauses may form part of such a code or scheme, though again, no schemes are currently available.

The GDPR gives processors responsibilities and liabilities in their own right, and processors as well as controllers may now be liable to pay damages or be subject to fines or other penalties.

Whenever a controller uses a processor (a third party who processes personal data on behalf of the controller) it needs to have a written contract in place. Similarly, if a processor employs another processor it needs to have a written contract in place.

Contracts between controllers and processors ensure that they both understand their obligations, responsibilities and liabilities. They help them to comply with the GDPR, and help controllers to demonstrate their compliance with the GDPR. The use of contracts by controllers and processors may also increase data subjects’ confidence in the handling of their personal data.

Contracts must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, and the obligations and rights of the controller.

Contracts must also include as a minimum the following terms, requiring the processor to:

only act on the written instructions of the controller;

ensure that people processing the data are subject to a duty of confidence;

take appropriate measures to ensure the security of processing;

only engage sub-processors with the prior consent of the controller and under a written contract;

assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;

assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;

delete or return all personal data to the controller as requested at the end of the contract; and

submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.

The GDPR allows standard contractual clauses from the EU Commission or a Supervisory Authority (such as the ICO) to be used in contracts between controllers and processors. However, no standard clauses are currently available.

The GDPR also allows these standard contractual clauses to form part of a code of conduct or certification mechanism to demonstrate compliant processing. However, no schemes are currently available.

A processor must only act on the documented instructions of a controller. If a processor determines the purpose and means of processing (rather than acting only on the instructions of the controller) then it will be considered to be a controller and will have the same liability as a controller.

In addition to its contractual obligations to the controller, under the GDPR a processor also has the following direct responsibilities:

not to use a sub-processor without the prior written authorisation of the data controller;

to co-operate with supervisory authorities (such as the ICO);

to ensure the security of its processing;

to keep records of processing activities;

to notify any personal data breaches to the data controller;

to employ a data protection officer; and

to appoint (in writing) a representative within the European Union if needed.

If a processor fails to meet any of these obligations, or acts outside or against the instructions of the controller, then it may be liable to pay damages in legal proceedings, or be subject to fines or other penalties or corrective measures.

If a processor uses a sub-processor then it will, as the original processor, remain directly liable to the controller for the performance of the sub-processor’s obligations.

Cookie Consent Settings

About Cookies

Why we use cookies?

To make this site work properly, sometimes we place small data files called cookies on your device. This is a common practice for websites.

What are cookies?

A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions and preferences (such as login, language, font size and other display preferences) over a period of time, so you don’t have to keep re-entering them whenever you come back to the site or browse from one page to another.

How do we use cookies?

There are 4 types of cookies that we use: Strictly Necessary, Performance, Functional and Advertising.

Please remember that if you delete your cookies, or use a different browser or device you will need to reset your cookie consent settings.

Strictly Necessary Cookies Always Active

These cookies are essential to use this website and its features, such as accessing secure areas of the website or using a shopping basket. They are not used for tracking or advertising purposes. We do not share this data. We use the strictly necessary cookies listed below:

Performance Cookies Active

These cookies collect information about how you use a website, such as which pages you visit most often or if you see error messages. These cookies do not collect information that identifies you. Information collected is aggregated and anonymized to improve how this website works. We use the performance cookies listed below:

Functional Cookies Active

These cookies allow this website to remember choices you make, such as your user name, language or your geographical region and provide personalized features. Also, they are used to remember your progress in important features of the website, such as your progress in a video so you can return to the same spot, and features such as changes you made to text size, fonts and other customizations. We use the functitonal cookies listed below:

Targeting Cookies Inactive

These cookies are used to deliver advertisments more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaigns. They remember that you have visited a website and this information is shared with other organisations such as advertisers. We use the advertising cookies listed below: